I am trying to figure out that bug. I have witnessed the bug twice on
a server, although I am using ctx-15 and ctx-16 on many servers.

The big difference between ctx-15 and the previous one is the way
the struct iproot_info is used. In the previous kernel, only struct task
was referencing struct iproot pointers. A reference count was maintained
when a new process was created and when a process was ending. Easy.

In ctx-15, sockets also reference those pointers, so they have to handle
the reference count. The big issue when debugging ctx-15 was to
realise that sockets (struct sock) were copied to other structs such
as tcp_tw_bucket and that some common routines were used
to handle both struct sock and struct tcp_tw_bucket. Anyway, the
reference count stuff, while trivial (one line of code here and there), took
some time to get right (one line of code here and there, but where :-) ).

Now, I realise that ipv6 is sharing much of the code of ipv4. It does
share the socket initialisation code, but it uses the same
cleanup function: inet_sock_destruct. This function does the reference
count stuff on iproot_info using a non-initialised pointer. Oops.
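An added illustration of the bug class described in this message (a constructed example, not the ctx kernel's code; struct and function names are stand-ins for iproot_info, struct sock and inet_sock_destruct): two init paths feed one shared destructor, one of them never sets the refcounted pointer, and poisoning freshly allocated memory lets the destructor catch that path instead of decrementing through garbage.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for iproot_info: shared object owned by tasks and, since ctx-15, sockets. */
struct iproot_info { int refcount; };
/* Stand-in for struct sock; ip_info is the field the common destructor drops. */
struct sock { int family; struct iproot_info *ip_info; };

#define AF_INET  2
#define AF_INET6 10
#define POISON   0x5a   /* slab-style fill byte for fresh, uninitialised memory */

static struct iproot_info *iproot_get(struct iproot_info *ip) { if (ip) ip->refcount++; return ip; }
static void iproot_put(struct iproot_info *ip) { if (ip) ip->refcount--; }

static struct sock *sock_alloc(int family) {
    struct sock *sk = malloc(sizeof *sk);
    memset(sk, POISON, sizeof *sk);      /* mimic kmalloc memory with debug poisoning */
    sk->family = family;
    return sk;
}

/* IPv4 init path: takes its own reference on the shared object. */
static void inet4_sock_init(struct sock *sk, struct iproot_info *ip) { sk->ip_info = iproot_get(ip); }
/* IPv6 init path as described in the post: uses the common destructor but never sets the field. */
static void inet6_sock_init_buggy(struct sock *sk, struct iproot_info *ip) { (void)sk; (void)ip; }
/* Fixed IPv6 init: every path served by the common destructor must own (or NULL) the pointer. */
static void inet6_sock_init_fixed(struct sock *sk, struct iproot_info *ip) { sk->ip_info = iproot_get(ip); }

/* Common destructor (stand-in for inet_sock_destruct). Returns -1 if the pointer still
 * carries the allocation poison, i.e. no init path ever set it; otherwise drops the ref. */
static int inet_sock_destruct(struct sock *sk) {
    uintptr_t raw = (uintptr_t)sk->ip_info, poison;
    memset(&poison, POISON, sizeof poison);
    if (raw == poison) { free(sk); return -1; }
    iproot_put(sk->ip_info);
    free(sk);
    return 0;
}

/* Create and destroy one socket. Returns 0 when the refcount is balanced and no
 * uninitialised pointer reached the destructor, -1 otherwise. */
int lifecycle(int family, int fixed, struct iproot_info *ip) {
    int before = ip->refcount;
    struct sock *sk = sock_alloc(family);
    if (family == AF_INET)   inet4_sock_init(sk, ip);
    else if (fixed)          inet6_sock_init_fixed(sk, ip);
    else                     inet6_sock_init_buggy(sk, ip);
    int rc = inet_sock_destruct(sk);
    return (rc == 0 && ip->refcount == before) ? 0 : -1;
}
```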